Creating a Secure Healthcare Environment
Scott Fox, CHFM, CHSP, CHEP
QHC- Senior Director, Facilities Management
Proprietary & Confidential
Creating a Sustainable Future for Healthcare Organizations
Security Course Objectives
• Explore the basics of the Environment of Care Security Management Program
• Explore the organization’s role in supporting organization compliance to security processes
Do You Need a Security Management Program?
You Tell Me!
When I was a boy, my momma
would send me down to a corner
store with $1, and I’d come back
with 5 potatoes, 2 loaves of
bread, 3 bottles of milk, a hunk of
cheese, a box of tea, and 6 eggs.
You can’t do that now…
Too many security cameras.
“The Have To”- Safety and Security Related Regulatory Standards
• CMS §482.13(c)(2) The patient has the right to receive care in a safe setting.
• Role of the Safety/Security Officer
  ▪ Safety Officer is usually not the Patient Safety Officer
• Start with proactive risk assessment of high risk processes and from credible external sources such as Sentinel Event alerts to identify vulnerabilities.
• Includes ALL hospital entities and their grounds and equipment
  ▪ All campus locations
Requirements for Safety and Security in the Environment of Care
• CMS §482.13(c)(2) The patient has the right to receive
care in a safe setting. Note this regulation applies to TJC
EP for security also.
• TJC EC.01.01.01 EP3 The hospital has a written plan for
managing the following: The environmental safety of
patients and everyone else who enters the hospital’s
facilities.
“Because They Said”- Litigation Avoidance
• Prospective patients and families are increasingly evaluating
hospitals, not only for the quality of care the hospital provides
• Now, more than ever, hospitals are being evaluated on the level of
protection provided the patient and their loved ones during their
hospital stay
• With this in mind, it is increasingly essential for organizations to offer state-of-the-art security to protect their patients, visitors, and staff as well as providing protection for the facility from increased litigation
“The Almighty Dollar”- Cost of Claims
• Most cases involve a hospital’s duty to take reasonable actions to prevent
foreseeable harm to those in its care.
• In cases involving hospital security, the plaintiff will allege
that by not providing adequate security the defendant hospital
was negligent and in gross disregard of the patient's
security or safety.
• The plaintiff also usually alleges outrageous, inappropriate and reckless conduct by the defendant, claiming the hospital knew or should have known that its lack of security and protocol endangered the rights, safety or life of the plaintiff.
Organization Plan for Safety and Security
• Often hard to separate the two areas/plans
• Safety risks and vulnerabilities are usually associated with structural issues in the physical environment, performance of everyday tasks, situations beyond the hospital’s control (e.g. weather) and issues that are most often accidental
• Security incidents are usually intentional
  ▪ Examples include: theft, infant abduction and unrestricted access to medications
  ▪ Caused by individuals either inside or outside of the hospital
What Is the Intent of a Safety and Security Program?
“Security is intended to reduce the probability of detrimental incidents, not
to eliminate all risks.
It is not static and can be viewed as a state or condition that fluctuates within
a continuum.
As environmental and human conditions change, so does the status of
protection.
It is this phenomenon that requires the constant reevaluation of any system
of protection.”
– Colling Hospital Security
Goals of a Security Management Plan
• Protection of life and property
• Prevention of criminal/illegal/unethical activity or the violation of protocol
• Detection and investigation of criminal activity or the violation of protocol
• Addressing or apprehending offenders
• Maintaining public order
• Providing patient assistance, restraint, and safety
• Recovery of property, lost and found
• Crime prevention
• Staff training and development
• Compliance to ethical standards
• Vehicular and pedestrian traffic control
• Community relations and community service
• Department administration
• Service support, medical support and first responder functions
Security Risk Assessment: How Much Security Is Enough?
• Does your Security, Loss Prevention and/or Workplace Violence Prevention and
Response Program address your true threats, risks, and vulnerabilities? Does it
fit your unique culture, values, budget, and history?
• Are you spending more on security than you need to? Is your Security Program
a random blend of varying components deployed over time in response to
particular incidents and issues?
• Is your security program cost effective?
• Where to begin? How do you measure and evaluate your Security, Loss
Prevention or Workplace Violence Prevention and Response Program?
• A Comprehensive Security Risk Assessment (SRA) or Security Survey is the
ideal first step and can be a powerful countermeasure and deterrent in itself!
Why Perform a Security Risk Assessment?
• Need to understand the real risks, threats and vulnerabilities and to
evaluate the effectiveness of existing and planned security measures
or a workplace violence program
• A security loss incident or breach, violence, theft, threat, attack or other compromise has occurred, and there is a need to prevent or mitigate recurrence
• A significant change is occurring, such as a new process or building,
significant hiring or lay-offs, acquisition or merger, potential strike or
work stoppage, etc.
Why Perform a Security Risk Assessment? (Continued)
• There is a heightened concern over a threat such as terrorism, internal
theft, activist attack or workplace violence or threat
• The firm or organization wishes to evaluate, benchmark, validate
and/or test existing security programs or assessment/audit
methodologies
Five Steps of the Strategic Risk Assessment Process
1. Asset Identification
2. Current Security Measures
3. Threat Assessment
4. Vulnerability Assessment
5. Risk Assessment
[Diagram: supporting elements shown are Policies & Procedures, Physical Security, Security Personnel, Crime Analysis, Cost Benefit Analysis, and Report & Recommendations]
Asset Identification
[Diagram: Strategic Risk Assessment Process]
Asset Identification
People
• Patients
• Staff
• Visitors
Property
• Tangible
• Intangible
Information
• Medical Record
• Data
A Strategic and Systematic Approach to the Hospital Security Program Is Absolutely Necessary
HVA, Risk Assessments, FMEAs
External to the Facility
Internal to the Facility
Risk Assessment Team
• The risk assessment team should identify each component of the security program, what asset(s) it is used to protect, and its level of effectiveness
• There are two methods for inventorying current security measures:
  ▪ Inside-out and Outside-in
  ▪ Using the outside-in approach, the Risk Assessment Team begins at the facility’s perimeter and works their way in toward the identified critical assets through each line of defense
  ▪ The inside-out approach is the opposite, with the team starting at each critical asset and working their way out to the perimeter
• In addition to these methods, the inventory process should also include
reviewing any available security documentation including security plans, policies
and procedures, security officer’s post orders, and physical protection system
documentation
Assess Current Security Measures
[Diagram: Strategic Risk Assessment Process]
Security Plans, Policies, and Procedures
• Security policies and procedures may include:
  ▪ Security Management Plan
  ▪ Abduction Plan
  ▪ Elopement Plan
  ▪ Emergency Management Plan
  ▪ Bomb Threat Plan
  ▪ Active Shooter Plan
  ▪ Visitor Management Plan
  ▪ Vendor Management Plan
  ▪ Medical Records/Computer protection procedures
  ▪ Cyber Security Plan
Physical Security Equipment
• Physical security equipment can include:
  ▪ Alarm systems
  ▪ Closed circuit television systems
  ▪ Access control systems
  ▪ Perimeter security systems
    o Doors
    o Fence/Barriers
  ▪ Lighting control devices
Security Personnel
• Security personnel include:
  ▪ Proprietary security force
  ▪ Contractual security personnel
  ▪ Off-duty law enforcement officers
  ▪ Other personnel who serve in a protection capacity
• Typical physical security measures include:
  ▪ Measures will depend on the nature of the hospital; however, many physical security measures are common across various hospitals
  ▪ For example, closed circuit television is commonly deployed at most hospitals
Safety and Security for High Risk, Problem Prone Areas
• Verbal and non-verbal threats
  ▪ De-escalation techniques
• Workplace violence
• Combative patients
  ▪ Highest degree non-fatal assaults on health care workers
  ▪ Staff training on de-escalating
• Use of MRI – designation “safe” zones
  ▪ Claustrophobia
  ▪ Anxiety
  ▪ Implants
Safety and Security for High Risk, Problem Prone Areas (Continued)
• Policies in place to support the Plan
• Examples include:
  ▪ Patient abduction
  ▪ Sensitive areas
    o ICU, OB, Emergency Department, Pediatrics, Behavioral Health, Nuclear Medicine (CMS §482.53(b) Radioactive materials must be prepared, labeled, used, transported, stored and disposed of in accordance with acceptable standards of practice)
    o Suicide risk in the Emergency Department and Behavioral Unit
      – Window openings
      – How do you identify environmental risk?
    o Care of prisoners
Threat Assessment
[Diagram: Strategic Risk Assessment Process]
Threat Assessment
• Threats are specific events or conditions that seek to obtain, damage, or destroy a hospital asset
  ▪ Historical information is the primary source
  ▪ Other threats may emerge without a historical context. For example, a MERS outbreak is a potential emerging threat to hospitals.
• Regardless of an emerging or existing threat, information regarding
criminal incidents, security breaches, and other threats should be shared
• The focal points of threat assessments are assets (targets) and the
threats that seek to compromise those targets
• Who are the bad guys? Evaluating each threat on the basis of capability,
intent, and impact of an attack
Threat Analysis
• The threat analysis helps identify potential risks to the facility and assists in the development of a comprehensive assessment tool
• Specific threats are identified and analyzed so security measures can be implemented to eliminate or reduce imminent threats as well as potential threats to patients, visitors, staff, and physical assets
• Every hospital needs to conduct an initial “threat analysis” followed by annual self-assessments to meet regulatory standards as well as industry norms
• To meet full compliance, it is important for hospitals to develop an on-going assessment program with well defined security protocols, policies, and procedures, reinforced with education and training
Contributing Factors to Potential Threats
Contributing factors in identifying potential threats to the safety and security of a facility
include, but are not limited to, the following:
• Geographical location
• Physical design and layout of campus and surrounding property
• Number of uncontrolled access points into and out of the Facility
• Criminal demographics surrounding the hospital and campus
• Security incident data within the hospital as well as incidents on campus
• Level of physical security
• Organizational issues
• Previous security sentinel events
• Quality of the Security Management Program
• Employee security awareness associated with on-going educational programs
• Administration and management support
Vulnerability Assessment
[Diagram: Strategic Risk Assessment Process]
Definition of Vulnerability and Risk
• Vulnerabilities are those things that make the hospital more prone to security related problems, such as crime, unauthorized access, and damage from natural disasters
• Risk is the result of threats and vulnerabilities. Without the potential for a threat and a vulnerability coming together in time and space, risk is undetermined or non-existent
• A simplified example may be a small town hospital which has open access to the facility and limited visitor management (vulnerability), but no historical security incidents (threat), thus the risk to the hospital is low
Vulnerability Assessment
• The primary tool of a vulnerability assessment is the security survey, which identifies and measures the vulnerabilities at the hospital by determining what opportunities exist to attack, obtain, or damage the hospital’s assets
  ▪ Questions and checklists that guide the assessment team during off-site preparations and on-site inspections of the facility
Vulnerability Analysis
• Vulnerabilities are weaknesses or gaps in a security program that
can be exploited by threats to gain unauthorized access to an
asset. Simply stated, vulnerabilities are opportunities
• A systematic approach is necessary to assess a hospital’s security
posture and analyze the effectiveness of the existing security
program
• Vulnerability assessments measure the security program’s
effectiveness, compare it against valid security metrics, and
provide recommendations for determining the need for additional
security measures, security equipment upgrades, changes in
policies and procedures, and manpower needs
What Is the Organization’s Policy on Identification Badges?
• All employees will display their photo identification badge at all times
while on facility property
• All employees will wear their badges at chest level
• The following is a description of individual badges that can be obtained:
  ▪ Physician
  ▪ Clinician
  ▪ Women’s Services
  ▪ Student
  ▪ Contractor
  ▪ Volunteer
  ▪ Other
Safety and Security for Other Security Personnel
• Forensic Process – Ask for training process for forensic personnel. Evaluate staff’s knowledge on the admission process and use of forensic personnel. For example, Emergency Department.
• Security Officers/Guards – Is this a contracted service? Has the contracted service been evaluated? Did security officers/guards attend required hospital orientation? Evaluate the after-hours security process to ensure the hospital is secured as outlined in the plan.
What Is the Role of Security Personnel in the Use of Restraints?
What is security’s role in a restraint situation?
• Upon an order from a physician, the security officer(s) will provide seclusion and apply restraints
• Use the least amount of force necessary
• Use measures to protect the rights, dignity, safety and well being of the patient
Why Have a Vehicular Access and Traffic Control Plan?
• Hospitals need to ensure emergency vehicles such as
ambulances, police vehicles, and fire department vehicles
have direct access to the Emergency Department or
designated locations
Is It the Outsider or the Insider You Have to Worry About?
• Hospitals must also be aware of security threats that emanate from within the workforce, as even the most resilient security plan can be cracked by an authorized insider
  ▪ In late April 2010, a registered nurse at the St. Joseph's Regional Medical Center in New Jersey, US, pleaded guilty to stealing hospital equipment worth $300,000 and selling it online
  ▪ Nurse taken out in hand-cuffs for theft by taking a drug diversion***
  ▪ Local prison drug ring involving local hospital***
What Is Security’s Role in Finding a Missing or Abducted Patient?
• Conduct search of hospital property until patient is found
• Gather any additional information about the patient that
will be helpful toward finding the patient
• Assist staff in notifying appropriate Police Department
Infant Protection Program "Code Pink"
• What is security’s role in an infant abduction?
  ▪ Stop the person from leaving the premises
  ▪ Obtain license number
  ▪ Locate the infant and the abductor
  ▪ Immediately return the infant back to the Mother and Child center
  ▪ Upon an alarm or call of an abduction, members of the Police & Security Department will respond immediately to the area of the alarm
  ▪ Monitor all persons exiting the hospital
Strategic Risk Assessment
[Diagram: Strategic Risk Assessment Process]
Risk Management Process
• The primary component of risk management is the risk assessment process whereby risks are monitored and addressed on a continual basis
• This process consists of the identification of threats, vulnerabilities, and risks to the hospital with the end goal of selecting appropriate security measures to reduce identified risks
Risk Analysis
[Diagram: Threats, Vulnerabilities, Risks]
Best Strategy for Mitigating Risk
Combination of Three Things
• Decreasing Threats
• Reducing Consequences
• Blocking Opportunities
Risk Mitigation Strategies
• Avoidance: Removes the desired target but hampers operations
• Reduction: Driving force is to protect all assets
• Spreading: Relocation of the asset to minimize or compartmentalize the threat to one particular area
• Transfer: Remove the risk to a third party insurance
• Acceptance: Hospital assumes the risk to an asset, typically after reducing the risk level to an acceptable level
Risk Assessment Analysis
• The purpose of the risk assessment step is to reduce the risk to an acceptable and manageable level
• Mitigating risk involves identifying strategies that reduce threats and vulnerabilities through the implementation of additional security measures or other means
  ▪ The logical analysis of the previous steps which included asset identification, security inventory, threat assessment, and vulnerability assessment.
  ▪ Should be benchmarked against industry standards and guidelines to evaluate cost-benefit and/or make other recommendations
Collaborative Management
Organization Plan for Emergency Preparedness
§482.41(a) The condition of the physical plant and the overall hospital environment must be developed and maintained in such a manner that the safety and wellbeing of patients are assured
  ▪ Assuring the safety and well being of patients includes developing/implementing emergency preparedness plans and capabilities
  ▪ Identify likely risks, e.g. natural disasters, bioterrorism threats, disruption of utilities such as water, sewer, electrical communications, fuel, etc.
Environment of Care Standards and Regulations
CMS Requirements §482.41 Condition of Participation
• Physical Environment: The hospital must be constructed,
arranged, and maintained to ensure safety of the patient, and to
provide facilities for diagnosis and treatment and for special
hospital services appropriate to the needs of the community.
§482.41(a) Standard: Buildings
The condition of the physical plant and the overall hospital
environment must be developed and maintained in such a
manner that the safety and well being of patients are assured
TAG: A-0701
Test and Stress the Security System Through the Drills and the Real
• Evaluation of event scope and objectives
• Designee to document performance and opportunities during drills
and real encounters
• Evaluation of sustainability and inventory sheets and plans for identified shortfalls
• Multidisciplinary evaluation/changes based on performance and responses
• How does the event tie in with the organization or community EOP?
  ▪ Are we singing the same song?
Annual Review of Effectiveness Crime Analysis
• In summary, the review of safety and security events is crime
analysis
• Crime, or security, analysis seeks to:
  ▪ Evaluate actual risk within the organization and rank the areas by risk level
  ▪ Reduce crime on the property by aiding in the proper allocation of asset protection resources
  ▪ Justify security budgets
  ▪ Continually monitor effectiveness of the security program
  ▪ Provide evidence of due diligence
  ▪ Reduce liability exposure
Quality Monitoring and Report of Findings for the Safety and Security Program
• IF IT IS NOT DOCUMENTED, IT WAS NOT DONE!
• At least once a QTR
  ▪ To EOC/Safety Committee
  ▪ Forwarded to Quality Council, MEC, and Board
  ▪ As new services are added
  ▪ Changes occur in existing services
How Can Organizations be Successful in Meeting the Safety and Security Standards?
• Educate and train ALL STAFF - Directors and department managers
in safety and security standards and organization expectations
• Hold them accountable for working collaboratively with Facilities
staff in assessing their areas and reporting their findings in a timely
manner
• Most important is to develop a “tracking mechanism” for assessing
vulnerabilities